Features

A Deep Dive Into the General Data Protection Regulation

By Donald C. Dowling Jr.

Editor’s Note: The General Data Protection Regulation (GDPR) guides the use of data and the rights of citizens across the European Union (EU). Any organization working with the personal data of individuals in the EU is liable to maintain compliance. Because the regulation applies to data being maintained on your employees, global payroll and human resources will assume a leading role. Compliance is critical with the prospect of fines that can be revenue-based.

The following Q&A with Donald C. Dowling Jr., a shareholder with Littler law firm, is provided to assist leaders in global payroll who may be called upon to explain GDPR and its consequences to other departments within their organizations. Littler is the largest law firm in the world exclusively devoted to representing management in employment, employee benefits, and labor law matters. The firm has 80 offices globally, and more than 1,500 Littler attorneys who provide the firm’s clients with representation and daily advice on virtually all areas of labor and employment law.

How can global payroll teams play a strategic part in GDPR compliance?

The EU data protection law reaches its tentacles deep into the payroll process wherever an employer has European staff. What, specifically, a global payroll team needs to do about GDPR depends on the specific circumstances: Is the organization exporting payroll data about European staff to overseas headquarters in order to cut paychecks, taking the position that exports of pay data are necessary to comply with Europeans’ employment agreements under GDPR Article 49(1)(b)? Or is the employer transmitting payroll data about Europeans to an outsourced payroll provider under a GDPR Article 28 vendor/processor agreement? Has the employer notified its European staff about payroll processing sufficiently under GDPR Articles 13 and 14? Is the employer maintaining payroll information securely enough to comply with GDPR Article 32?

GDPR came into effect on May 25. New York Magazine called it “the most important data privacy law ever.” TheNew York Times called it “one of the toughest data privacy laws in the world” and added that it grants “a sweeping right to data access that Americans don’t have.” Is GDPR really such a game-changer?

Yes and no. The popular press articles on GDPR all but cried, “Chicken Little, the sky is falling!” And companies that process personal data about Europeans certainly got that message. Our clients have been quite concerned, as they should be.

In fact, yes, in a way the “sky” did “fall.” The EU did indeed impose a sweeping data law that fundamentally toughened up how businesses must process personal data about Europeans. The EU data law led to billions of euros in compliance costs, damages, and fines, and actually blocked countless trans-Atlantic data flows. The EU’s data law even sparked complex diplomatic negotiations between the EU Commission and the American federal government.

But the “EU data law” I’m referring to is not GDPR. The “sky fell” 20 years ago, on October 24, 1998—the effective date of the EU’s monumental predecessor data law, the EU’s old “Data Protection Directive.”

That old 1998 EU data law was, in essence, “EU Data Law Version 1.0.” GDPR is just a reboot, “Version 2.0.” On May 25, 2018, GDPR repealed, replaced, tweaked, and toughened the milestone 1990s-era European data law that companies on both sides of the Atlantic (and worldwide) have been wrestling with for two decades—a law that actually became a matter of American diplomacy. Remember the trans-Atlantic diplomatic machinations around Safe Harbor and Privacy Shield?

That said, as reboots go, GDPR is a big one. The attention-grabber is that GDPR spikes potential fines up to €20 million (about US$23 million) or 4% of a company’s worldwide annual revenues.

So was all of the GDPR media hype overblown? Is GDPR the latest Y2K?

There was a frenzy of publicity around GDPR—at least, we might fairly characterize the media coverage in Europe as a “frenzy.” In my view, though, the popular press covered GDPR in a way that’s grossly misleading.

I want to correct one big misperception. The news articles called GDPR “sweeping,” the “toughest” data protection law on Earth. In and of itself, that’s all true. That’s not misleading.

The problem is the press coverage suggested that on May 25 the EU dropped GDPR out of nowhere, like (say) Kanye West dropping a big new album. But GDPR is more like Kanye re-releasing a 20-year-old album with new graphics, a few fresh remixes, and some added bonus tracks. Even if critics declared Kanye’s new release his biggest record ever, they would be disingenuous unless they pointed out that we’ve been listening to most songs on this “new” album for 20 years. The GDPR publicity hype wrongly characterized an expanded re-release as an all-new album. (OK, my analogy is imperfect—Kanye released his first record in 2004.)

Still, the hype made its own impact. Press coverage significantly raised awareness among Europeans of their data protection rights. That will lead to more claims, tougher enforcement—and heightened accountability.

Who’s most affected here? Which companies need to scramble to get GDPR-compliant?

For most companies operating in Europe—companies with a core business other thanthe processing of personal data—GDPR is vital. But as a practical matter, it just toughens up a sweeping EU data law that’s been important for 20 years.

GDPR most profoundly affects big companies with large European operations whose core business is processing personal data—social media and consumer-facing financial services companies in particular. Look at all those new “Terms of Service” that became effective on May 25. For Google, Facebook, Twitter, Instagram, We-Chat, LinkedIn, and YouTube, GDPR is a game-changer.

On “GDPR Day” itself, May 25, the notorious European privacy avenger Max Schrems went after some of the biggest social media companies, filing the first-ever GDPR claims against them on GDPR’s “Day 1.” But remember that Schrems rose to fame filing landmark lawsuits (Schrems I and Schrems II) under the old EU data directive. Schrems is the guy who killed EU/U.S. Safe Harbor. Max Schrems’s May 25-filed GDPR claims advance strategies this guy pursued for years under the old, 1990s-era EU data law.

Are companies operating differently in an effort to achieve compliance with GDPR?

In Littler’s 7th Annual Employer Survey—completed by more than 1,100 executives based primarily in the United States—we actually addressed this very issue as companies were preparing for the implementation of GDPR. Roughly half of respondents (51%) reported that their human resources, legal, and information technology departments were working more collaboratively on information security and compliance with GDPR. At the same time, 47% of our U.S.-based respondents reported closer collaboration with European operations to achieve compliance.

Given the cross-functional teams needed to comply effectively with GDPR, we thought the degree of collaboration reported would have been higher. Fully addressing compliance with this comprehensive regulation requires the support of key departments responsible for handling EU personal data and the collaboration between multinational headquarters and their EU leadership. This is not an insignificant task. Companies that focus on collaboration to ensure GDPR compliance, however, will be ahead of the game for future changes in EU privacy law—like, next up, the EU’s incoming “ePrivacy Regulation.”

So, what parts of GDPR are new? What data protection mandates came into effect on May 25 that no one had to bother with back on May 24?

I’d say if you were to take a yellow highlighter to all of GDPR’s 99 articles and highlight the actual rules it imposes on companies that process personal data, about 80% to 90% of the rules restate, mimic, or tweak old rules we’ve been living under for 20 years. That said, the new stuff—the new 10% to 20%—includes some very significant and tough rules. And GDPR tightens the screws on some of the pre-existing mandates.

First off, look at procedure. GDPR “federalizes” EU data law. The old EU data directive was a framework for local European country-level data laws—there used to be a French, a Dutch, a Greek data law, and so on. Now, GDPR is a regulation, not a directive, which means it’s a “federal” law the “Eurocrats” in Brussels impose directly across Europe. An EU-level “Supervisory Authority” is now in control, but the old member state “Data Protection Authorities” are still around, too. Lots of enforcers.

And again, GDPR ups the ante with its eye-popping maximum fine, €20 million or 4% of annual worldwide revenues. We’ll see how many times the EU actually imposes fines that high. In practice, the whopper fines might be mostly for Cambridge Analytica-level data protection violations.

As to newsubstantiverules, think back to my analogy of a re-released 20-year-old album with new bonus tracks, some fresh remixes, and new graphics and cover art.

GDPR adds some brand new rules—the all-new bonus tracks. Now, under GDPR, some (but far from all) companies have to appoint “Data Protection Officers” who actually enjoy job protection from “dismiss[al].” There are new corporate governance and accountability requirements, including some (but far from all) companies having to do grueling “Data Protection Impact Assessments” that can involve government oversight. GDPR mainstreams concepts called “privacy by design,” “privacy by default,” “anonymization,” and “pseudonymization”—but in many contexts, these might not compel big changes over old practices. Also, GDPR gives Europeans a new right of “data portability.” And GDPR adds breach notification mandates. There are also miscellaneous new provisions, like setting the age of consent for personal data processing for minors at 16.

In addition, GDPR toughens up certain pre-existing requirements—these are the fresh remixes. GDPR lays out tougher rules for data security, drafting data processing notices and “vendor management”—subcontracting data processing (what we now call “Article 28 Agreements”). These GDPR changes amount to important refinements, but the core concepts were there all along.

And there’s a third category of GDPR changes—superficial changes that people tell you are new, but that in practice just mimic rules under old data law. These are the new graphics and cover art. We can debate which parts of GDPR these are, but in my view, GDPR’s new so-called “right to be forgotten” is completely overblown, because the old data directive already conferred “data subject access” rights, the right to correct erroneous data, and the right to flag obsolete data that should have been purged. Those rights were well-enforced.

There’s also GDPR’s new definition of consent. It’s a wordier definition, but it boils down to more or less exactly what data consents were always supposed to be—unambiguous, freely given, and revocable at will.

Another superficial change is GDPR’s provision on “special” or “sensitive” data. It all but restates the old “sensitive data” rules, only it brings “genetic” and “biometric” data into the mix.

You said GDPR introduces breach notification. Are you saying the EU has imposed the world’s toughest data protection law for 20 years, yet a concept as basic as breach notification is new in Europe? Did breach notification land out of nowhere on May 25?

Yes.Breach notification is a huge GDPR “add.” The old EU data directive tried to “close the barn door before the cow got out” by imposing rules to protect personal data, including data security rules—and then just sort of assumed companies would follow those rules. Under that utopia, there would be no data breaches. So, the old EU data directive didn’t even mention breaches. I think the drafters of the old law actually overlookeddata breaches in 1998.

Since about the year 2000, American states pulled ahead, passing robust data breach notification laws. Some individual European countries like Germany and Denmark passed their own local breach notification laws, but it was a patchwork at best.

Only on May 25, with GDPR, did the EU implement a comprehensive Europe-wide data breach notification regime. And it’s quite tough: amazingly, GDPR requires breach notification within 72 hours of learning about a breach. Some say that target will be impossible for companies to hit.

What about data exports to U.S. headquarters and the cloud?

For two decades, it’s been illegal to export personal data outside of Europe and to the United States (or to any other country Europeans have not designated as offering “adequate protections”) unless the data export is through a pre-approved channel. The major “channels” are Model Contractual Clauses, Privacy Shield, and Binding Corporate Rules.

This is a huge issue for U.S.-based multinationals. The EU data export channels are complex and expensive to comply with. Some companies have spent millions of dollars, for example, on Binding Corporate Rules.

But these channels have been around for years (Privacy Shield is just a couple of years old, but its predecessor Safe Harbor was around too long—no one misses Safe Harbor). GDPR didn’t change the export channels. The EU might change them later, but nothing significant happened on May 25 as to data exporting.

Indeed, the fact that data exporting did not change under GDPR illustrates the point about media hype. If GDPR was as monumental as the popular press insisted it was, then why is the all-important issue of data exporting exactly the same today as it was on May 24?

What about Brexit? Is Britain going to escape GDPR?

At least for now. GDPR applies in Britain until Brexit happens next year—the scheduled Brexit date is March 29, 2019. But Britain is scrambling to get designated an “adequate protections” jurisdiction, to facilitate free data flows with the EU. And GDPR doesn’t seem particularly unpopular among Britons. Until you hear otherwise, assume Britain is going to be subject to GDPR till next March, and then will transition to some parallel universe-type regime. U.K. will likely be like Switzerland: Not in the EU, but in the EU’s data-law regime.

What should American companies do about GDPR?

Comply.

Donald C. Dowling Jr. is a shareholder at Littler, the largest law firm in the world exclusively devoted to representing management in employment, employee benefits, and labor law matters. He has extensive experience advising U.S.-based companies on outbound international labor and employment laws. Dowling provides counsel on a wide variety of global employment law matters, including codes of conduct and HR policies that guide operations in multiple jurisdictions, international compensation and benefits issues, whistleblower hotlines, and cross-border internal investigations and HR compliance audits. He regularly advises clients on employment matters that arise with international restructurings, reductions in force, mergers, acquisitions, and outsourcing. Additionally, Dowling helps clients properly engage independent contractors overseas, manage expatriate programs, and develop employment agreements and employee handbooks.